TL;DR
This guide shows you how to deal with Cross-Site Request Forgery (CSRF) tokens when using Burp Suite Pro’s sequencer. We’ll cover identifying them, automatically handling them with macros, and manually adjusting requests if needed.
Identifying CSRF Tokens
- Observe the traffic: Use Burp Proxy to intercept your normal web browsing. Look for parameters in POST requests that change every time you submit a form or perform an action. These are likely CSRF tokens.
- Check request/response patterns: Pay attention to how these parameters are generated. Are they random strings? Do they come from hidden fields in forms? Are they set as cookies?
- Look for names like: Common CSRF token parameter names include csrf_token, XSRF-TOKEN, authenticity_token, or similar.
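The three checks above (values that change on every submission, the way they are generated, and recognisable parameter names) can be scripted over a batch of captured POST bodies. The following Python is an added example, not part of the original guide or of Burp Suite; the three request bodies are constructed sample data, and the name list and entropy threshold are assumptions you would tune for your target.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import parse_qsl

# Parameter names commonly used for anti-CSRF tokens (assumed list, extend as needed)
KNOWN_TOKEN_NAMES = {"csrf_token", "xsrf-token", "authenticity_token", "_token",
                     "__requestverificationtoken"}

# Constructed sample: three POST bodies captured from the same login form.
# csrf_token changes every time, username/remember stay fixed, seq is a counter.
SAMPLE_BODIES = [
    "username=alice&csrf_token=9f8e7d6c5b4a3f2e1d0c&remember=1&seq=1",
    "username=alice&csrf_token=1a2b3c4d5e6f7a8b9c0d&remember=1&seq=2",
    "username=alice&csrf_token=0c1d2e3f4a5b6c7d8e9f&remember=1&seq=3",
]


def shannon_entropy(value):
    """Bits of entropy per character; random tokens score high, counters score ~0."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def find_token_candidates(bodies, min_entropy=3.0):
    """Return {param_name: evidence} for parameters that look like CSRF tokens.

    A parameter qualifies if its name is a known token name, or if its value is
    different in every captured request AND looks random (entropy threshold).
    The entropy check keeps plain counters (seq=1, seq=2, ...) out of the result.
    """
    values = defaultdict(list)
    for body in bodies:
        for name, value in parse_qsl(body, keep_blank_values=True):
            values[name].append(value)

    candidates = {}
    for name, vals in values.items():
        changes_every_request = len(vals) > 1 and len(set(vals)) == len(vals)
        known_name = name.lower() in KNOWN_TOKEN_NAMES
        min_ent = min(shannon_entropy(v) for v in vals)
        if known_name or (changes_every_request and min_ent >= min_entropy):
            candidates[name] = {
                "changes_every_request": changes_every_request,
                "known_name": known_name,
                "min_entropy": round(min_ent, 2),
            }
    return candidates


if __name__ == "__main__":
    for name, evidence in find_token_candidates(SAMPLE_BODIES).items():
        print(name, evidence)
```

Feed it the bodies you exported from Burp's Proxy history; a parameter that changes every time but scores low entropy is more likely a sequence number or timestamp than a token, which is the "check how they are generated" step from the list above.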
Automatically Handling Tokens with Macros
Burp Suite Pro’s macro feature is the easiest way to handle CSRF tokens automatically.
- Record a Macro: Go to Proxy > Options > Macro. Click ‘Add’.
- Start Recording: Click ‘Start Recording’. Perform the action that requires the CSRF token (e.g., submit a form). This will capture the request that fetches the token and the subsequent request that uses it.
- Stop Recording: Click ‘Stop Recording’. Burp Suite Pro will show you the captured requests.
- Edit the Macro: Review the macro steps. You’ll typically see two steps:
- Step 1: Request to fetch the CSRF token (e.g., a GET request for a page containing a form).
- Step 2: The POST request that uses the token.
- Configure Macro Execution: In the macro editor, select ‘Execute before each request’. This ensures Burp Suite Pro fetches a new token before every request to the target application.
- Apply the Macro: Select the scope you want the macro to apply to (e.g., your entire target domain).
Manually Handling Tokens in Sequencer
If macros don’t work perfectly, or for more complex scenarios, you can manually handle tokens.
- Send a Request to Fetch the Token: Before starting the sequencer, send a request to the endpoint that provides the CSRF token.
- Extract the Token Value: Use Burp Repeater or Intruder to extract the token value from the response.
    // Example using regex in Burp Repeater's search function
    // ([^"]*) stops at the closing quote; a greedy (.*) would run on past it:
    <input type="hidden" name="csrf_token" value="([^"]*)">
- Add the Token to Your Sequencer Request: In your sequencer request, add the CSRF token parameter with the extracted value. You can do this directly in the request editor.
    POST /some/endpoint HTTP/1.1
    Host: example.com
    ...
    Content-Type: application/x-www-form-urlencoded

    param1=value1&csrf_token=YOUR_TOKEN_VALUE
- Repeat for Each Request: The sequencer will send multiple requests. You’ll need to fetch a new token and update the request before each iteration if the tokens expire quickly. This can be automated with scripting (see below).
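The manual loop above (fetch the form page, pull out the hidden field, put its value into the urlencoded body, repeat per request) is shown below in plain Python as an added example; it is not part of the original guide and does not use Burp's API. The form page is a constructed sample, and the transport is abstracted as two callables (`fetch_page`, `submit`) so the logic runs offline; in practice those would be your HTTP client calls.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Constructed sample response: the page that serves the form and its token.
SAMPLE_FORM_PAGE = """<html><body>
<form method="post" action="/some/endpoint">
  <input type="hidden" name="csrf_token" value="a1b2c3d4e5f6">
  <input type="text" name="param1">
</form></body></html>"""


def extract_token_regex(html, name="csrf_token"):
    """Regex extraction, the same idea as the Repeater search shown above.
    [^"]* stops at the closing quote, so a long line cannot over-capture."""
    m = re.search(r'name="%s"\s+value="([^"]*)"' % re.escape(name), html)
    return m.group(1) if m else None


class _HiddenInputParser(HTMLParser):
    """Collects the value of the first <input name=...> with the wanted name."""

    def __init__(self, name):
        super().__init__()
        self.name = name
        self.value = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.value is None:
            a = dict(attrs)
            if a.get("name") == self.name:
                self.value = a.get("value")


def extract_token_html(html, name="csrf_token"):
    """Parser-based extraction: tolerant of attribute order and whitespace,
    unlike the regex, which needs name= to precede value=."""
    p = _HiddenInputParser(name)
    p.feed(html)
    return p.value


def with_token(body, token, name="csrf_token"):
    """Replace (or add) the token parameter in a urlencoded body,
    leaving every other parameter exactly as it was."""
    params = [(k, v) for k, v in parse_qsl(body, keep_blank_values=True) if k != name]
    params.append((name, token))
    return urlencode(params)


def submit_with_fresh_tokens(fetch_page, submit, body, iterations):
    """One fetch-then-submit cycle per iteration, for tokens that are single-use
    or expire quickly. fetch_page() returns the form HTML; submit(body) sends it."""
    results = []
    for _ in range(iterations):
        token = extract_token_html(fetch_page(), "csrf_token")
        if token is None:
            raise ValueError("csrf_token not found in form page")
        results.append(submit(with_token(body, token)))
    return results


if __name__ == "__main__":
    print(extract_token_html(SAMPLE_FORM_PAGE))
    print(with_token("param1=value1&csrf_token=YOUR_TOKEN_VALUE", "a1b2c3d4e5f6"))
```

Prefer the parser-based extractor when the form markup is not under your control; the regex is fine for a quick Repeater search but breaks as soon as the attributes are reordered.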
Scripting for Token Refresh
For frequently changing CSRF tokens, use Burp Suite Pro’s Python scripting capabilities to automate token fetching.
- Write a Script: Create a Python script that fetches the CSRF token before each request in the sequencer.
- Use the IBurpRequestInfo interface: This allows you to modify requests before they are sent.
    # Legacy Burp Extender API (Jython): extensions implement IBurpExtender and
    # hook outgoing requests with IHttpListener; IBurpRequestInfo is not a Burp class.
    from burp import IBurpExtender, IHttpListener, IParameter
    import re

    # Request for the page that serves the token; adjust path and host to your target
    TOKEN_PAGE = "GET /form HTTP/1.1\r\nHost: example.com\r\n\r\n"

    class BurpExtender(IBurpExtender, IHttpListener):
        def registerExtenderCallbacks(self, callbacks):
            self._callbacks = callbacks
            self._helpers = callbacks.getHelpers()
            callbacks.registerHttpListener(self)

        def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
            if not messageIsRequest or toolFlag != self._callbacks.TOOL_SEQUENCER:
                return  # only rewrite outgoing Sequencer requests
            token = self.get_csrf_token(messageInfo.getHttpService())
            if token:  # overwrite the placeholder csrf_token value in the body
                param = self._helpers.buildParameter("csrf_token", token, IParameter.PARAM_BODY)
                messageInfo.setRequest(self._helpers.updateParameter(messageInfo.getRequest(), param))

        def get_csrf_token(self, service):
            # Fetch the form page and extract the hidden field's value
            resp = self._callbacks.makeHttpRequest(service, self._helpers.stringToBytes(TOKEN_PAGE)).getResponse()
            m = re.search(r'name="csrf_token"\s+value="([^"]*)"', self._helpers.bytesToString(resp))
            return m.group(1) if m else None
- Load the Script: Load your script into Burp Suite Pro using Extender > Options > Python Scripts.